In a technological era where Big Data is “the new black gold”, European and international policy makers face the tough challenge of putting in place an enabling framework for business and innovation, whilst not sacrificing privacy.

On the European side, it is now being reported the Commission is expected on 11 January 2017 to publish a Communication for the free flow of data initiative, while the Council had been expected to strike a deal on the Trade in Services Agreement on 5-6 December 2016, but that meeting has now been postponed, because the EU said it might not have a consolidated position on data flows for several more months.

‘Free flow of data’ has become the hot buzz-phrase in the Brussels bubble. However, the concept covers so many facets of European and international data transfers that the components of this ‘free flow’ have to be looked at in a more detailed way, in order to understand what one is talking about. Specifically, this term can cover intra-EU flows, EU-US flows, emerging issues such as access to data and ownership of data, as well as storing and processing of data. It can also cover different categories of data, which would dictate a sectoral approach – or so the majority argues. All of this comes packaged with privacy concerns.

Several EU studies are ongoing, compiling evidence for the negative effects of data location restrictions, as well as evidence for the emerging issues of the free flow of data, including liability of robots*. The results of these studies are expected to justify the measures that the Commission is about to put on the table in January 2017. Starting back in October 2015 (C-SIG plenary), through to the EU high level conference hosted by Commissioner Oettinger in October 2016, stakeholders have almost unanimously been calling for the removal of unjustified data location restrictions. The vast majority of Member States asked to ensure that “data can move freely across borders, both within and outside the EU, by removing all unjustified barriers to the free flow of data”, while Estonia even referred to the free flow of data as the fifth freedom of movement. Also various key stakeholders recently addressed a letter to the Commission asking it to future-proof the single market by enabling the free flow of data.

The data localisation restrictions are the core issue undermining the free movement of data across borders. Up to now, we had seen a rather strong positioning on the part of the Commission , that it would come forward with a regulation addressing data location restrictions. Even the Commission’s inception impact assessment published earlier in October underlined the legal uncertainty and lost benefits due to data location restrictions. However, in the last week it has been reported that these ambitions may be subject to reconsideration.

The data localisation restrictions are the core issue undermining the free movement of data across borders.

More and more messages are coming from specific Member States (e.g., France and Germany), favouring data location restrictions, justified by privacy concerns, as well as the potential for restrictions to promote local value creation, resulting from the analysis and processing of European data. The discussion seems focused on the EU-US transfers of data, which are governed by the Privacy Shield. Some still expect that this new agreement would be struck down in Court, and privacy concerns seem still to be a recurrent issue.

While the EU is trying to find its position, big companies do not patiently wait. They have already made investment decisions to build data centres in Europe, justified by political considerations. The Chinese tech giant Alibaba will build its first European data centre in Germany, Amazon Web Services already unveiled plans for new data centres in France, Microsoft said it was investing more than €3 billion to expand its cloud services in Europe and IBM announced that it would set up 4 new cloud data centres in UK.

The longer the EU waits before removing data location restrictions, the more collateral damage is suffered by European startups and SMEs. Although on the one hand the Commission revealed its Start-up and Scale-up Initiative this week and plans to help start-ups stay and grow in Europe, on the other hand the regulatory framework for data flows is contradicting this very aim by fragmenting the digital market.

In the latest drafting stages of the expected proposal, one needs to remember that keeping a “fortress Europe” approach cannot support innovation and cannot encourage global competition by favouring protectionism. What is needed is a common high level standard of privacy, which can support the free flow of data both within and outside the EU, while ensuring that citizens can trust their service providers, no matter where their data is stored or processed.

* For transparency, OFE is a subcontractor of the consortium carrying out the “study on emerging issues of data ownership, interoperability, (re)usability and access to data, and liability”.

Comments

*The longer the EU waits before removing data location restrictions, the more collateral damage is suffered by European startups and SMEs.*

Humbug! Data localization requirements are the number one logical consequence and only defense – provided the US government does not stop its business espionage, mass surveillance and fails to adapt its privacy laws to the EU Acquis. What you propose is victim-blaming and inciting defeatism of the public interest and EU officials in the lights of the Snowden revelations. Your clients, American corporations, should encourage the US government to stop its spying against the EU instead.

Any US company that lobbies against data localization requirements should be banned from lobbying in Brussels and its lobbyists and collaborators visa canceled and expelled from the EU as a national security threat. Any sane European official has to butcher your trojan horses.

The issues discussed in Brussels are exactly those highlighted by the recent decision I quoted. The discussion in Brussels is *not* about letting all data go, but it is about striking the balance between which data that originated in the EU is worth protecting, and which data may be allowed to travel worldwide to countries with far less privacy protection concerns than the EU.